iso271213中英文對照

1、Informationtechnology-Securitytechniques-Informationsecuritymanagementsystems-Requirements信息技術(shù)-平安技術(shù)-信息平安治理體系-要求ForewordISOtheInternationalOrganizationforStandardizationandIECtheInternationalElectrotechnic alCommissionformthespecializedsystemforworldwidestandardization.Nationalbodiesthatar emembersof

2、ISOorIECparticipateinthedevelopmentofInternationalStandardsthroughtechnic alcommitteesestablishedbytherespectiveorganizationtodealwithparticularfieldsoftechnicala ctivity.ISOandIECtechnicalcommitteescollaborateinfieldsofmutualinterest.Otherinternationa lorganizations,governmentalandnon-governmental,

3、inliaisonwithISOandIEC,alsotakepartinthework.Inthefieldofinformationtechno logy,ISOandIEChaveestablishedajointtechnicalcommittee,ISO/IECJTC1.ISO 國際標準化組織和 IEC 國際電工委員會是為國際標準化制定專門體制的國際組 織.國家機構(gòu)是ISO或IEC的成員,他們通過各自的組織建立技術(shù)委員會參與國際標準的 制定,來處理特定領(lǐng)域的技術(shù)活動.ISO和IEC技術(shù)委員會在共同感興趣的領(lǐng)域合作.其他國際組織、政府和非政府等機構(gòu),通過聯(lián)絡(luò)ISO和IEC參與這項工作.

4、ISO和IEC已經(jīng)在信息技術(shù)領(lǐng)域建立了一個聯(lián)合技術(shù)委員會ISO/IECJTC1 .InternationalStandardsaredraftedinaccordancewiththerulesgivenintheISO/IECDirectives,Part2.國際標準的制定遵循ISO/IEC導(dǎo)那么第2局部的規(guī)那么.ThemaintaskofthejointtechnicalcommitteeistoprepareInternationalStandards.DraftInternation alStandardsadoptedbythejointtechnicalcommitteeareci

5、rculatedtonationalbodiesforvoting.Pu blicationasanInternationalStandardrequiresapprovalbyatleast75%ofthenationalbodiescastin gavote.聯(lián)合技術(shù)委員會的主要任務(wù)是起草國際標準,并將國際標準草案提交給國家機構(gòu)投票表決. 國際標準的出版發(fā)行必須至少75%以上的成員投票通過.''l,一" j "-_11 iIAttentionisdrawntothepossibilitythatsomeoftheelementsofthisdocumen

6、tmaybethesubjectof patentrights.ISOandIECshallnotbeheldresponsibleforidentifyinganyorallsuchpatentrights.本文件中的某些內(nèi)容有可能涉及一些專利權(quán)問題,這一點應(yīng)該引起注意.ISO和IEC不負責(zé)識別任何這樣的專利權(quán)問題.ISO/IEC27001waspreparedbyJointTechnicalCommitteeISO/IECJTC1,Informationtechnolo gy,SubcommitteeSC27,ITSecuritytechniques.ISO/IEC27001由聯(lián)合技術(shù)委員

7、會 ISO/IECJTC1 信息技術(shù)分委員會SC27 平安技術(shù) 起草.Thissecondeditioncancelsandreplacesthefirstedition(ISO/IEC27001:2005),whichhasbeent echnicallyrevised.第二版進行了技術(shù)上的修訂,并取消和替代第一版(ISO/IEC27001:2005 ).0Introduction引言1.1 General 0.1總那么 ThisInternationalStandardhasbeenpreparedtoproviderequirementsforestablishing,impleme n

8、ting,maintainingandcontinuallyimprovinganinformationsecuritymanagementsystem.Thead optionofaninformationsecuritymanagementsystemisastrategicdecisionforanorganization.Th eestablishmentandimplementationofan organization ' sinformationsecuritymaiagementsyste misinfluencedby theorganization ' sn

9、eenlsdobjectives,securityrequirements,theorganizatio nalprocessesusedandthesizeandstructureoftheorganization.Alloftheseinfluencingfactorsar eexpectedtochangeovertime.本標準用于為建立、實施、保持和持續(xù)改良信息平安治理體系提供要求.采用信息平安治理體系是組織的一項戰(zhàn)略性決策.一個組織信息平安治理體系的建立和實施受其需要和目標、安 全要求、所采用的過程以及組織的規(guī)模和結(jié)構(gòu)的影響.所有這些影響因素會不斷發(fā)生變化.Theinformati

10、onsecuritymanagementsystempreservestheconfidentiality,integrityandavailabi lityofinformationbyapplyingariskmanagementprocessandgivesconfidencetointerestedpartie sthatrisksareadequatelymanaged.信息平安治理體系通過應(yīng)用風(fēng)險治理過程來保持信息的保密性、-完整性和可用性,以充分管理風(fēng)險并給予相關(guān)方信心.Itisimportantthattheinformationsecuritymanagementsystem

11、ispartofandintegratedwiththeorg anization ' sprocessandoverallmanagementstructureandthatinformationsecurityisconsider edinthedesignofprocesses,informationsystems,andcontrols.Itisexpectedthataninformations ecuritymanagementsystemimplementationwillbescaledinaccordancewiththeneedsoftheorg anization

12、.信息平安治理體系是組織過程和整體治理結(jié)構(gòu)的一局部并與其整合在一起是非常重要的.信息平安在設(shè)計過程、信息系統(tǒng)、限制舉措時就要考慮信息平安.根據(jù)組織的需要實施信息安 全治理體系,是本標準所期望的. ThisInternationalStandardcanbeusedbyinternalandexternalpartiestoassess theorganization sabilitytomeettheorganization ' sowninformationsecurityrequirements.本標準可被內(nèi)部和外部相關(guān)方使用,評估組織的水平是否滿足組織自身信息平安要求.Theor

13、derinwhichrequirementsarepresentedinthisInternationalStandarddoesnotreflecttheiri mportanceorimplytheorderinwhichtheyaretobeimplemented.Thelistitemsareenumeratedforr eferencepurposeonly.本標準中要求的順序并不能反映他們的重要性或意味著他們的實施順序.列舉的條目僅用于參考目的.ISO/IEC27000describestheoverviewandthevocabularyofinformationsecurity

14、managements ystems,referencingtheinformationsecuritymanagementsystemfamilyofstandards(includingI SO/IEC270032,ISO/IEC270043andISO/IEC270054),withrelatedtermsanddefinitions.ISO/IEC27000描述了信息平安治理體系的概述和詞匯,參考了信息平安治理體系標準族 (包括 ISO/IEC27003、ISO/IEC27004 和 ISO/IEC27005 )以及相關(guān)的術(shù)語和定義.1.2 Compatibilitywithother

15、managementsystemstandards0.2與其他治理體系的兼容性ThisInternationalStandardappliesthehigh-levelstructure,identicalsub- 'I clausetitles,identicaltext,commonterms,andcoredefinitionsdefinedinAnnexSLofISO/IECDirei 1«r- I ctives,Part1,ConsolidatedISOSupplement,andthereforemaintainscompatibilitywithotherma

16、nagementsystemstandardsthathaveadoptedtheAnnexSL.本標準應(yīng)用了 ISO/IEC導(dǎo)那么第一局部ISO補充局部附錄 SL中定義的高層結(jié)構(gòu)、相同的子 章節(jié)標題、相同文本、通用術(shù)語和核心定義.因此保持了與其它采用附錄SL的治理體系標準的兼容性.ThiscommonapproachdefinedintheAnnexSLwillbeusefulforthoseorganizationsthatchooseto Fq 尸7J operateasinglemanagementsystemthatmeetstherequirementsoftwoormoreman

17、agementsys temstandards.附錄SL定義的通用方法對那些選擇運作單一治理體系(可同時滿足兩個或多個治理體系 標 準 要 求) 的 組織 來 說 是 十 分 有益 的.Informationtechnology Securitytechniques Informationsecuritymanagementsystems Requirements 信息技術(shù)-平安技術(shù)-信息平安治理體系 要求 1 Scope 1范圍 ThisInternationalStandardspecifiestherequirementsforestablishing,implementing,main

18、taini ngandcontinuallyimprovinganinformationsecuritymanagementsystemwithinthecontextofthe organization.本標準從組織環(huán)境的角度,為建立、實施、運行、保持和持續(xù)改良信息平安治理體系規(guī)定了要求.ThisInternationalStandardalsoincludesrequirementsfortheassessmentandtreatmentofinfor mationsecurityriskstailoredtotheneedsoftheorganization.Therequirement

19、ssetoutinthisIntern ationalStandardaregenericandareintendedtobeapplicabletoallorganizations,regardlessoftyp e,sizeornature.Excludinganyoftherequirementsspecifiedin Clauses4 to 10isnotacceptablewh enanorganizationclaimsconformitytothisInternationalStandard.本標準還規(guī)定了為適應(yīng)組織需要而定制的信息平安風(fēng)險評估和處置的要求.本標準規(guī)定的要求是通用

20、的,適用于各種類型、規(guī)模和特性的組織.組織聲稱符合本標準時,對于第4章到第10章的要求不能刪減. 2 Normativereferences 2標準性引用文件Thefollowingdocuments,inwholeorinpart,arenormativelyreferencedinthisdocumentandarein dispensableforitsapplication.Fordatedreferences,onlytheeditioncitedapplies.Forundatedref erences,thelatesteditionofthereferenceddocument

21、(includinganyamendments)applies.以下文件的全部或局部內(nèi)容在本文件中進行了標準引用,對于其應(yīng)用是必不可少的.但凡注日期的引用文件,只有引用的版本適用于本標準； 但凡不注日期的引用文件, 其最新版本(包 括任何修改)適用于本標準.ISO/IEC27000, Informationtechnology Securitytechniques Informationsecuritymanagementsystems Overviewandvocabulary ISO/IEC27000,信息技術(shù)一平安技術(shù)一信息平安治理體系一概述和詞匯 3 Termsanddefinitio

22、ns3 術(shù)語和定義Forthepurposesofthisdocument,thetermsanddefinitionsgiveninISO/IEC27000apply. ISO/IEC27000中的術(shù)語和定義適用于本標準. 4 Contextoftheorganization4組織環(huán)境 4.1 Understandingtheorganizationanditscontext4.1 理解組織及其環(huán)境Theorganizationshalldetermineexternalandinternalissuesthatarerelevanttoitspurposeandth ataffectits

23、abilitytoachievetheintendedoutcome(s)ofitsinformationsecuritymanagementsyste m.組織應(yīng)確定與其目標相關(guān)并影響其實現(xiàn)信息平安治理體系預(yù)期結(jié)果的水平的外部和內(nèi)部問 題.NOTEDeterminingtheseissuesreferstoestablishingtheexternalandinternalcontextoftheorga nizationconsideredinClause5.3ofISO31000:20215.注：確定這些問題涉及到建立組織的外部和內(nèi)部環(huán)境,在ISO31000:20215的5.3節(jié)考慮了

24、這一事項.4.2 Understandingtheneedsandexpectationsofinterestedparties4.2理解相關(guān)方的需求和期望Theorganizationshalldetermine:組織應(yīng)確定：a) interestedpartiesthatarerelevanttotheinformationsecuritymanagementsystem;and b) therequirementsoftheseinterestedpartiesrelevanttoinformationsecurity.a) 與信 息平安治理體系有關(guān)的相關(guān)方；b)這些相關(guān)方與信息平安有關(guān)

25、的要求NOTETherequirementsofinterestedpartiesmayincludelegalandregulatoryrequirementsandco ntractualobligations.注：相關(guān)方的要求可能包括法律法規(guī)要求和合同義務(wù).4.3 Determiningthescopeoftheinformationsecuritymanagementsystem4.4 確定信息平安治理體系的范圍Theorganizationshalldeterminetheboundariesandapplicabilityoftheinformationsecurityman ag

26、ementsystemtoestablishitsscope.- 組織應(yīng)確定信息平安治理體系的邊界和適用性,以建 立其范圍.Whendeterminingthisscope,theorganizationshallconsider:當(dāng)確定該范圍時,組織應(yīng)考慮：a) theexternalandinternalissuesreferredtoin 4.1;b) therequirementsreferredtoin 4.2;andc) interfacesanddependenciesbetweenactivitiesperformedbytheorganization,andthosethat

27、 areperformedbyotherorganizations.Thescopeshallbeavailableasdocumentedinformation.a在4.1中提及的外部和內(nèi)部問題；b在4.2中提及的要求；c組織所執(zhí)行的活動之間以及與其它組織的活動之間的接口和依賴性范圍應(yīng)文件化并保持可 用性.4.5 Informationsecuritymanagementsystem4.6 信息平安治理體系Theorganizationshallestablish,implement,maintainandcontinuallyimproveaninformationsec uAtymana

28、gementsystemjnaccordancewiththerequirementsofthisInternationalStandard.組織應(yīng)根據(jù)本標準的要求建立、實施、保持和持續(xù)改良信息平安治理體系.'.'U I15 Leadership5領(lǐng)導(dǎo)5.1 Leadershipandcommitment5 .1領(lǐng)導(dǎo)和承諾Topmanagementshalldemonstrateleadershipandcommitmentwithrespecttotheinformations ecuritymanagementsystemby:高層治理者應(yīng)通過以下方式展示其關(guān)于信息平安治理

29、體系的 領(lǐng)導(dǎo)力和承諾：a) ensuringtheinformationsecuritypolicyandtheinformationsecurityobjectivesareestablished andarecompatiblewiththestrategicdirectionoftheorganization;b) ensuringtheintegrationoftheinformationsecuritymanagementsystemrequirementsintothe organization ' sprocesses;c) ensuringthattheresource

30、sneededfortheinformationsecuritymanagementsystemareavail able;d) communicatingtheimportanceofeffectiveinformationsecuritymanagementandofconformi ngtotheinformationsecuritymanagementsystemrequirements;e) ensuringthattheinformationsecuritymanagementsystemachievesitsintendedoutcome(s);f) directingandsu

31、pportingpersonstocontributetotheeffectivenessoftheinformationsecuritym anagementsystem;g) promotingcontinualimprovement;andh) supportingotherrelevantmanagementrolestodemonstratetheirleadershipasitappliestoth eirareasofresponsibility.a)保證建立信息平安方針和信息平安目標,并與組織的戰(zhàn)略方向保持一致； b)保證將信息平安治理體系要求整合到組織的業(yè)務(wù)過程中；c)保證信

32、息平安治理體系所需資源可用；d)傳達信息平安治理有效實施、符合信息平安治理體系要求的重要性；e)保證信息平安治理體系實現(xiàn)其預(yù)期結(jié)果；f)指揮并支持人員為信息平安治理體系的有效實施作出奉獻； g)促進持續(xù)改良；h)支持其他相關(guān)治理角色在其責(zé)任范圍內(nèi)展示他們的領(lǐng)導(dǎo)力.5.2 Policy5.3 方針Topmanagementshallestablishaninformationsecuritypolicythat:高層治理者應(yīng)建立信息平安方針,以：a） isappropriatetothepurposeoftheorganization;Ib） includesinformationsecurit

33、yobjectives(see 6.2 )orprovidestheframeworkforsettinginforma tionsecurityobjectives;c） includesacommitmenttosatisfyapplicablerequirementsrelatedtoinformationsecurity;d） includesacommitmenttocontinualimprovementoftheinformationsecuritymanagementsy stem.Theinformationsecuritypolicyshall:e） beavailable

34、asdocumentedinformation;f） becommunicatedwithintheorganization;andg） beavailabletointerestedparties,asappropriate.a 適 于組織的目標；b包含信息平安目標見 6.2或設(shè)置信息平安目標提供框架； c包含滿足適用的信息平安相關(guān)要求的承諾；d包含信息平安治理體系持續(xù)改良的承諾.信息安 全方針應(yīng)：e文件化并保持可用性； f在組織內(nèi)部進行傳達； g適當(dāng)時,對相關(guān)方可用.5.4 Organizationalroles,responsibilitiesandauthorities5.3組織角色、

35、責(zé)任和權(quán)限Topmanagementshallensurethattheresponsibilitiesandauthoritiesforrolesrelevanttoinformat ionsecurityareassignedandcommunicated.高層治理者應(yīng)保證分配并傳達了信息平安相關(guān)角色的責(zé)任和權(quán)限.< x I； J ' ,Topmanagementshallassigntheresponsibilityandauthorityfor:高層治理者應(yīng)分配以下責(zé)任和權(quán)限：a） ensuringthattheinformationsecuritymanagements

36、ystemconformstotherequirementsoft hisInternationalStandard;andb） reportingontheperformanceoftheinformationsecuritymanagementsystemtotopmanagem ent.a保證信息平安治理體系符合本標準的要求； b將信息平安治理體系的績效報告給高層治理者.NOTETopmanagementmayalsoassignresponsibilitiesandauthoritiesforreportingperforman ceoftheinformationsecurityma

37、nagementsystemwithintheorganization. 注：高層治理者可能 還要分配在組織內(nèi)部報告信息平安治理體系績效的責(zé)任和權(quán)限.6 Planning6規(guī)劃6.1 Actionstoaddressrisksandopportunities6.1應(yīng)對風(fēng)險和時機的舉措6.1.1 General6.1.2 總那么Whenplanningfortheinformationsecuritymanagementsystem,theorganizationshallconsidert heissuesreferredtoin 4.1 andtherequirementsreferredt

38、oin 4.2 anddeterminetherisksandopport unitiesthatneedtobeaddressedto:當(dāng)規(guī)劃信息平安治理體系時,組織應(yīng)考慮4.1中提及的問題和4.2中提及的要求,確定需要應(yīng)對的風(fēng)險和時機,以：a) ensuretheinformationsecuritymanagementsystemcanachieveitsintendedoutcome(s);b) prevent,orreduce,undesiredeffects;andc) achievecontinualimprovement.T I I J/(heorganizationshall

39、plan:d) actionstoaddresstheserisksandopportunities;ande) howto1) integrateandimplementtheactionsintoitsinformationsecuritymanagementsystemproces ses;2) evaluatetheeffectivenessoftheseactions.a) 保證信息平安治理體系能實現(xiàn)其預(yù)期結(jié)果； b)預(yù)防或減少意外的影響；c) 實現(xiàn)持續(xù)改良.組織應(yīng)規(guī)劃：d)應(yīng)對這些風(fēng)險和時機的舉措；e)如何1)整合和實施這些舉措并將其納入信息平安治理體系過程；2)評價這些舉措的有效

40、性.6.1.3 Informationsecurityriskassessment6.1.2信息平安風(fēng)險評估Theorganizationshalldefineandapplyaninformationsecurityriskassessmentprocessthat:組織應(yīng)定義并應(yīng)用風(fēng)險評估過程,以：a) establishesandmaintainsinformationsecurityriskcriteriathatinclude:1) theriskacceptancecriteria;and2) criteriaforperforminginformationsecurityrisk

41、assessments;b) ensuresthatrepeatedinformationsecurityriskassessmentsproduceconsistent,validandco mparableresults;c) identifiestheinformationsecurityrisks:1) applytheinformationsecurityriskassessmentprocesstoidentifyrisksassociatedwiththelo ssofconfidentiality,integrityandavailabilityforinformationwi

42、thinthescopeoftheinformationse curitymanagementsystem;and2) identifytheriskowners;d) analysestheinformationsecurityrisks:1) assessthepotentialconsequencesthatwouldresultiftherisksidentifiedin 6.1.2 c)1)wereto materialize;2) assesstherealisticlikelihoodoftheoccurrenceoftherisksidentifiedin 6.1.2 c)1)

43、;and3) determinethelevelsofrisk;e) evaluatestheinformationsecurityrisks:1) comparetheresultsofriskanalysiswiththeriskcriteriaestablishedin 6.1.2 a);and2) prioritizetheanalysedrisksforrisktreatment.Theorganizationshallretaindocumentedinformationabouttheinformationsecurityriskassessm1»'iT'

44、;-. 'I , -entprocess.a)建立并保持信息平安風(fēng)險準那么,包括：1)風(fēng)險接受準那么；2)執(zhí)行信息平安風(fēng)險評估的準那么；/ ；b)保證重復(fù)性的信息平安風(fēng)險評估可產(chǎn)生一致的、有效的和可比擬的結(jié)果；c)識別信息平安風(fēng)險：1)應(yīng)用信息平安風(fēng)險評估過程來識別信息平安治理體系范圍內(nèi)的信息喪失保密性、完整性和可用性的相關(guān)風(fēng)險；2)識別風(fēng)險負責(zé)人；d)分析信息平安風(fēng)險：1)評彳t 6.1.2c) 1)中所識別風(fēng)險發(fā)生后將導(dǎo)致的潛在影響；2)評彳t 6.1.2c) 1)中所識別風(fēng)險發(fā)生的現(xiàn)實可能性；3)確定風(fēng)險級別；e)評價信息平安風(fēng)險；1)將風(fēng)險分析結(jié)果同6.1.2a)建立的風(fēng)險準那

45、么進行比擬；2)為實施風(fēng)險處置確定已分析風(fēng)險的優(yōu)先級.組織應(yīng)定義并應(yīng)用風(fēng)險評估過程,以：組織應(yīng)保存信息平安風(fēng)險評估過程的文件記錄信息.6.1.3 Informationsecurityrisktreatment6.1.3信息平安風(fēng)險處置Theorganizationshalldefineandapplyaninformationsecurityrisktreatmentprocessto:a) selectappropriateinformationsecurityrisktreatmentoptions,takingaccountoftheriskassess mentresults;b)

46、determineallcontrolsthatarenecessarytoimplementtheinformationsecurityrisktreatmento ption(s)chosen;組織應(yīng)定義并應(yīng)用信息平安風(fēng)險處置過程,以：a)在考慮風(fēng)險評估結(jié)果的前提下,選擇適當(dāng)?shù)男畔⑵桨诧L(fēng)險處置選項：b為實施所選擇的信息平安風(fēng)險處置選項,確定所有必需的限制舉措；NOTEOrganizationscandesigncontrolsasrequired,oridentifythemfromanysource.注：組織可按要求設(shè)計限制舉措,或從其他來源識別限制舉措.c) comparethecon

47、trolsdeterminedin 6.1.3 b)abovewiththosein AnnexA andverifythatnoneces sarycontrolshavebeenomitted;c)將6.1.3b )所確定的限制舉措與附錄A的限制舉措進行比擬,以核實沒有遺漏必要的限制舉措；NOTE1 AnnexA containsacomprehensivelistofcontrolobjectivesandcontrols.UsersofthisInter nationalStandardaredirectedto AnnexA toensurethatnonecessarycontro

48、lsareoverlooked. NOTE2Controlobjectivesareimplicitlyincludedinthecontrolschosen.Thecontrolobjectivesand controlslistedin AnnexA arenotexhaustiveandadditionalcontrolobjectivesandcontrolsmayben eeded.注1:附錄A包含了一份全面的限制目標和限制舉措的列表.本標準用戶可利用附錄A以確不會遺漏必要的限制舉措.注 2:限制目標包含于所選擇的限制舉措內(nèi).附錄 A所列的控 制目標和限制舉措并不是所有的限制目標和限

49、制舉措,組織也可能需要另外的限制目標和 限制舉措.d) produceaStatementofApplicabilitythatcontainsthenecessarycontrols(see 6.1.3 b)andc)an djustificationforinclusions,whethertheyareimplementedornot,andthejustificationforexclusion sofcontrolsfrom AnnexA ;e) formulateaninformationsecurityrisktreatmentplan;and f) obta inriskown

50、ers ' approvjftheinformationsecurityrisktreatmentplanandacceptanceofth eresidualinformationsecurityrisks.Theorganizationshallretaindocumentedinformationabouttheinformationsecurityrisktreatmen tprocess.d)產(chǎn)生適用性聲明.適用性聲明要包含必要的限制舉措(見 6.1.3b)和c)、對包含的合 理性說明(無論是否已實施)以及對附錄A限制舉措刪減的合理性說明；e)制定信息平安風(fēng)險處置方案；f)獲

51、得風(fēng)險負責(zé)人對信息平安風(fēng)險處置方案以及接受信息平安剩余風(fēng)險的批準.組織應(yīng)保存 信息平安風(fēng)險處置過程的文件記錄信息.NOTETheinformationsecurityriskassessmentandtreatmentprocessinthisInternationalStand ardalignswiththeprinciplesandgenericguidelinesprovidedinISO31000 5. 注：本標準中的信息平安風(fēng)險評估和處置過程可與ISO310005中規(guī)定的原那么和通用指南相結(jié)合.6.2Informationsecurityobjectivesandplanningt

52、oachievethem6.2息平安目標和規(guī)劃實現(xiàn)Theorganizationshallestablishinformationsecurityobjectivesatrelevantfunctionsandlevels.Theinformationsecurityobjectivesshall:組織應(yīng)在相關(guān)職能和層次上建立信息平安目標.信息平安目標應(yīng)：a) beconsistentwiththeinformationsecuritypolicy;b) bemeasurable(ifpracticable);c) takeintoaccountapplicableinformationsec

53、urityrequirements,andresultsfromriskassessm entandrisktreatment;d) becommunicated;ande) beupdatedasappropriate.Theorganizationshallretaindocumentedinformationontheinformationsecurityobjectives.Whe nplanninghowtoachieveitsinformationsecurityobjectives,theorganizationshalldetermine: f) whatwillbedone;

54、g) whatresourceswillberequired;h) whowillberesponsible;i) whenitwillbecompleted;andj) howtheresultswillbeevaluated.a)與信息平安方針一致；b可測量如可行；c考慮適用的信息平安要求以及風(fēng)險評估和風(fēng)險處置結(jié)果;d被傳達；e適當(dāng)時進行更新.組織應(yīng)保存關(guān)于信息平安目標 的文件記錄信息.當(dāng)規(guī)劃如何實現(xiàn)其信息平安目標時,組織應(yīng)確定：f要做什么；g需要什么資源；h由誰負責(zé)；i什么時候完成；j如何評價結(jié)果.7 Support7支持7.1 Resources7.2 資源Theorganizatio

55、nshalldetermineandprovidetheresourcesneededfortheestablishment,imple mentation,maintenanceandcontinualimprovementoftheinformationsecuritymanagementsys tem.組織應(yīng)確定并提供建立、實施、保持和持續(xù)改良信息平安治理體系所需的資源.7.3 Competence7.4 水平Theorganizationshall:a) determinethenecessarycompetenceofperson(s)doingworkunderitscontrol

56、thataffectsitsinf ormationsecurityperformance;b) ensurethatthesepersonsarecompetentonthebasisofappropriateeducation,training,orexp erience;c) whereapplicable,takeactionstoacquirethenecessarycompetence,andevaluatetheeffectiv enessoftheactionstaken;andd) retainappropriatedocumentedinformationasevidenc

57、eofcompetence.組織應(yīng)：a)確定從事影響信息平安執(zhí)行工作的人員在組織的限制下從事其工作的必要水平； b)保證人員在適當(dāng)教育,培訓(xùn)和經(jīng)驗的根底上能夠勝任工作； c)適用時,采取舉措來獲得必要的水平,并評價所采取舉措的有效性； d)保存適當(dāng)?shù)奈募涗浶畔⒆鳛樗椒矫娴淖C據(jù).NOTEApplicableactionsmayinclude,forexample:theprovisionoftrainingto,thementoringof,ort hereassignmentofcurrentemployees;orthehiringorcontractingofcompetentpers

58、ons.注：例如適當(dāng)舉措可能包括為現(xiàn)有員工提供培訓(xùn)、對其進行指導(dǎo)或重新分配工作； 雇用或簽約有水平的人員.- '|7.3 Awareness7.3意識Personsdoingworkundertheorganization ' scontrolshbelawareof:a) theinformationsecuritypolicy;b) theircontributiontotheeffectivenessoftheinformationsecuritymanagementsystem,includin gthebenefitsofimprovedinformationsecurityperformance;andc) theimplicationso